On Wed, 2013-02-20 at 22:28 +0100, Stefan Fritsch wrote: > [moving to dev@apr, please remove dev@httpd when replying] > > On Wednesday 20 February 2013, Noel Butler wrote: > > On Wed, 2013-02-20 at 01:07 -0600, William A. Rowe Jr. wrote: > > > Which remains my point... our current 2.4 and 2.2 candidates > > > should suffer the same flaw. > > > > Confirmed, 2.2 candidate suffers same problem > > > I hope I did not miss this somewhere in the thread, but have you tried > running the apr-util 1.5.1 test suite (i.e. make check)? It has some > checks for apr_password_validate >
it reports success but... <snip> crypt_r returned 'nHZA1rViSldQk' SUCCESS testmd4 : SUCCESS testmd5 : SUCCESS testcrypto : SUCCESS testdbd : SUCCESS testdate : SUCCESS testmemcache : SUCCESS testxml : SUCCESS testxlate : SUCCESS testrmm : SUCCESS testdbm : SUCCESS testqueue : SUCCESS testreslist : SUCCESS All tests passed. it doesn't seem to test for salted md5, let alone shaxxx NOTE: replying here since I'm not on dev@apr I'll fix that in a minute though.
signature.asc
Description: This is a digitally signed message part
